By Wouter Wijngaards
The recent disclosure by ANSSI (CVE-2013-5661) notes problems with RRL slip and response spoofing. This document explains the trade-offs. Other documents with advice:
- French announcement from ANSSI: http://www.certa.ssi.gouv.fr/site/CERTA-2013-AVI-506/index.html
- Dutch vuln announcement: https://www.ncsc.nl/.../NCSC-2013-0597...html
- English: we do not have a link to English information. However, the vulnerability number is CVE-2013-5661.
- Paul Vixie (Redbarn): On the Time Value of Security Features in DNS
- ISC (Conry): Cache poisoning gets a second wind from RRL? Probably not.
Note that the security advice is about a trade-off between vulnerability to reflective DoS and the likelihood of individual clients being cache poisoned; as such it is a generic operational DNS trade-off. There is no specific vulnerability in the NSD implementation; rather, the issue is caused by the rate limiting dropping answers, because an answer that is dropped leaves the querying resolver waiting, and a forged answer arriving in that window has no genuine reply to compete with.
NSD has response rate limiting (RRL) implemented. It exists in NSD3 and NSD4 when NSD is built with --enable-ratelimit. Rate limiting uses "slip": of the responses that exceed the rate limit, one in every slip responses is sent back as a truncated reply (TC bit set, so a legitimate client retries over TCP) and the others are dropped. The default slip rate is 2; it is set with the rrl-slip option in nsd.conf. Which responses are truncated and which are dropped is randomized, so it is difficult for an attacker to predict exactly which response is going to be truncated and which is going to be dropped.
When the zones served by NSD are DNSSEC-signed, it is best to use the default slip rate of 2. Spoofing is countered by DNSSEC validation of the signatures, and reflective DoS is countered by the slip rate of 2: half of the rate-limited responses are dropped and the other half are small truncated replies, so a reflection attack loses half its bandwidth and, because truncated replies are no larger than the queries, all of its amplification. This protects the target, while legitimate clients that are falsely identified as spoofing targets (false positives) only experience delays in receiving answers.
When the loaded zones are not protected with DNSSEC, the choices are less optimal. A slip rate of 2 solves reflection, but response spoofing, as the ANSSI report notes, remains a problem: every dropped answer is an opportunity for a forged one. You can instead choose a slip rate of 1, which truncates every rate-limited response; no answer is then silently dropped, and the possibility to spoof responses as reported by ANSSI is removed. But with slip 1 the server still acts as a reflector for spoofed traffic, albeit a reflector that does not increase the size of that traffic, so without amplification.
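To make the trade-off in the two preceding paragraphs concrete, here is a small Python model of the slip decision. It is an added illustration, not NSD code, and it does not reproduce NSD's actual randomization. For a burst of rate-limited queries it counts how many bytes are reflected back toward the source address (the reflection threat, when that address is spoofed) and how many queries get no answer at all (the spoofing threat, when the rate-limited source is a resolver the attacker wants to poison). The packet sizes, the seeded PRNG and the choice to model a truncated reply as query-sized are all assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Outcome:
    """Result of pushing a burst of rate-limited queries through one slip setting."""
    slip: int
    queries: int
    truncated: int
    dropped: int
    query_bytes: int       # bytes sent to the server from the rate-limited source
    reflected_bytes: int   # bytes the server sent back toward that source

    @property
    def amplification(self) -> float:
        """Reflected bytes per query byte when the source address is spoofed;
        above 1.0 the server amplifies, at 1.0 it merely reflects."""
        return self.reflected_bytes / self.query_bytes

    @property
    def spoof_window(self) -> float:
        """Fraction of rate-limited queries that get no reply at all. When the
        rate-limited source is a resolver under attack, each such query is one
        that a forged answer can win without a genuine reply to compete with."""
        return self.dropped / self.queries


def slip_action(slip: int, rng: random.Random) -> str:
    """Decide the fate of one query that exceeded the rate limit.

    slip 0: drop everything.  slip n > 0: on average one in n replies is sent
    as a truncated (TC) reply, the rest are dropped.  NSD randomises which
    ones; a seeded PRNG stands in for that here (assumption)."""
    if slip <= 0:
        return "drop"
    return "truncate" if rng.randrange(slip) == 0 else "drop"


def simulate(slip: int, queries: int = 10_000, query_size: int = 60,
             seed: int = 1) -> Outcome:
    """Run `queries` rate-limited queries through the slip decision.

    Assumption: a truncated reply carries only header + question, so it is
    modelled as the same size as the query that triggered it."""
    rng = random.Random(seed)
    truncated_size = query_size
    truncated = dropped = 0
    for _ in range(queries):
        if slip_action(slip, rng) == "truncate":
            truncated += 1
        else:
            dropped += 1
    return Outcome(slip, queries, truncated, dropped,
                   query_bytes=queries * query_size,
                   reflected_bytes=truncated * truncated_size)


def no_rrl_amplification(query_size: int = 60, answer_size: int = 3000) -> float:
    """Baseline without RRL: every query is answered in full. Sizes are
    illustrative (a ~60 byte EDNS query, a ~3000 byte signed ANY answer)."""
    return answer_size / query_size


def compare(slips=(0, 1, 2)) -> dict:
    """(amplification, spoof_window) per slip value, rounded for a quick table."""
    return {s: (round(simulate(s).amplification, 2),
                round(simulate(s).spoof_window, 2)) for s in slips}


if __name__ == "__main__":
    print(f"no RRL     : amplification {no_rrl_amplification():.1f}x, spoof window 0.00")
    for s, (amp, window) in compare().items():
        print(f"rrl-slip {s} : amplification {amp:.2f}x, spoof window {window:.2f}")
```

Running it shows the shape of the trade-off rather than exact NSD numbers: slip 0 removes reflection entirely but drops every rate-limited answer, slip 1 closes the spoof window (every client gets a TC reply and retries over TCP, which a blind attacker cannot forge) but leaves the server as a 1:1 reflector, and slip 2 roughly halves both, which is why it is the right default once DNSSEC takes care of the spoofing half.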
NLnet Labs recommends DNSSEC for protecting DNS data, including detection of spoofing. We realize that operators of authoritative name servers may not be able to influence the operators of recursive name servers to turn on validation. Signing your zones allows the recursive name server operators to make that choice, while a slip value of 2 decreases the attractiveness of the global DNS system as a DoS amplification tool.